Read my writeup to Paper machine
TL;DR
User: By observing the HTTP response we found office.paper domain on X-Backend-Server header, Found it’s run behind WordPress version 5.2.3 and by using WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts exploit we found URL for rocket chat, Inside the chat we found a chatbot, Using list directory command we found scripts directory, Using that we found run command which allows us to run commands, Using that we get a reverse shell as dwight user.
Root: By enumerating we found Polkit running, Using CVE-2021-3560 we get a root shell.